Sage suffers data breach from insider

Software company Sage has reportedly suffered a data breach orchestrated by an insider of the company. The police are investigating and the ICO has been informed.

The insider threat - should all employees be treated suspiciously?
The insider threat - should all employees be treated suspiciously?

Software company Sage has reportedly suffered a data breach orchestrated by an insider of the company.

Police are said to be investigating unauthorised access to the company's systems, which came from an internal company login and allegedly allowed access to the personal information of employees at 280 UK businesses.

The company, which provides business software for accounting and payroll services to firms across 23 countries, says it is taking the breach extremely seriously.

Although there has been no news on if the data has been stolen or only viewed, the Information Commissioner's Office (ICO) has been notified.

If the ICO decides that Sage acted negligently, it could face anything from criminal prosecution, non-criminal enforcement, or a full audit of the company.

The companies affected by this breach have all been notified, and Sage has advised that its customers should be on the lookout for any unusual activity.

Kevin Cunningham, founder of SailPoint told SCMagazineUK.com: “In today's digital world, users need access to a myriad of critical systems, applications, and data in order to do their jobs. IT can only do so much to protect the internal infrastructure, but with the right tools in place to put some onus back on the employees they can help alleviate the burden. It falls to the employees and management to ensure that protecting sensitive information is of the utmost importance.”

Recent research by Splunk and IDC on internal threats showed  businesses aren't worried about the threat of a malicious insider – Only 12 percent  of business reported it as being of high concern for their business and only 27 percent are worried about poor end‐user security practices.

Some organisations have no approach to detecting the activity which leads to accidental breaches at all. Only 12 percent of organisations use user behaviour analytics to detect anomalies. 27 percent of respondents do not use basic methods of breach detection.

Despite this, over 40 percent of businesses are worried about theft of company data, unauthorised access to commercial or confidential company and customer or personnel data, and worryingly, there is more threat from hapless users than there is from malicious insiders.

Most organisations are much more concerned about threat types such as viruses, APTs, and phishing. The majority of these types relate directly to another type of threat: that of accidental breaches enabled or caused by hapless users. But because organisations do not think about these threats in this way, most are focusing on traditional perimeter-based security measures. This means that they are looking in the wrong places to detect attacks and avoid breaches caused by hapless users.

Eduard Meelhuysen, vice president EMEA for Netskope told SC: “The data breach at Sage is a powerful reminder that although many businesses look to protect their data from outside threats, the uncomfortable truth is that a significant risk often comes from the inside. Whether true human error, compromised account details, malicious insiders or a lack of awareness around IT rules and how to help protect the company's data, the insider element needs to form part of the wider security strategy along with external threats.”

Meelhuysen said: “It has become more difficult to keep track of employee activity, and which data they can access, as enterprise cloud use continues to grow: on average there are now 777 cloud apps in use within European organisations. 94.4 percent of these apps are not enterprise-ready from a security standpoint meaning that sensitive corporate data may be exposed without staff even realising it. Yet mitigating security risks from a company's entire cloud app ecosystem and on premise systems cannot be completed in one fell swoop.